Max Bires
34ef0ea4ae
Removing permissive mode on pd_mapper domain.
Bug: 34784662
Test: pd_mapper is in enforcing and the phone functions normally
Change-Id: I3306fb67dcecb8c256688312f5929be1599da10d
2017-04-24 22:07:39 -07:00
TreeHugger Robot
2021e7ad05
Merge "Adding allows to fix perfd and setup_wizard denials"
2017-04-25 02:31:57 +00:00
Max Bires
3d06ccc559
Adding allows to fix perfd and setup_wizard denials
denied { read write } for pid=1361 comm="Binder:1361_4" name="sdd4"
dev="tmpfs" ino=10187 scontext=u:r:system_server:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { write } for pid=805 comm="perfd" name="scaling_min_freq"
dev="sysfs" ino=29879 scontext=u:r:perfd:s0
tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
Test: Startup wizard no longer crashes a few times before working
Change-Id: I85425e00d1b834d0775ec940befec4ecee514df7
2017-04-24 23:24:20 +00:00
TreeHugger Robot
ef4927ef50
Merge "Added allowing at_device to port-bridge."
2017-04-24 22:31:42 +00:00
Max Bires
2238a616bc
Fixing boot blocking selinux policy.
Following denials were blocking boot:
denied { read } for pid=589 comm="vold"
name="u:object_r:tee_listener_prop:s0" dev="tmpfs" ino=17236
scontext=u:r:vold:s0 tcontext=u:object_r:tee_listener_prop:s0
tclass=file
denied { read } for pid=555 comm="android.hardwar"
name="u:object_r:tee_listener_prop:s0" dev="tmpfs" ino=17236
scontext=u:r:hal_keymaster_qti:s0
tcontext=u:object_r:tee_listener_prop:s0 tclass=file
denied { read } for pid=555 comm="android.hardwar"
name="u:object_r:tee_listener_prop:s0" dev="tmpfs" ino=17236
scontext=u:r:vold:s0
tcontext=u:object_r:tee_listener_prop:s0 tclass=file
Bug: 37633957
Test: Device boots
Change-Id: I6be2bafde9a6f1d14802cfa39b170c55858a4d36
2017-04-24 21:54:01 +00:00
Kyunam.jo
f22572013b
Added allowing at_device to port-bridge.
denied { read write } for pid=749 comm="port-bridge" name="at_mdm0" dev="tmpfs" ino=22585 scontext=u:r:port-bridge:s0 tcontext=u:object_r:at_device:s0 tclass=chr_file permissive=0
denied { read write } for pid=749 comm="port-bridge" name="at_mdm0" dev="tmpfs" ino=22585 scontext=u:r:port-bridge:s0 tcontext=u:object_r:at_device:s0 tclass=chr_file permissive=0
denied { read write } for pid=749 comm="port-bridge" name="at_usb0" dev="tmpfs" ino=21293 scontext=u:r:port-bridge:s0 tcontext=u:object_r:at_device:s0 tclass=chr_file permissive=0
Bug: 37628525
Test: Taimen is no longer blocked on boot
Change-Id: Ib2e1443471c822d20627286b090b2edc4de9578b
2017-04-24 14:12:49 -07:00
TreeHugger Robot
990d8690d9
Merge "Moving these into permissive so global enforcing can be turned on."
2017-04-23 20:00:11 +00:00
Max Bires
a3e68ffd51
Moving these into permissive so global enforcing can be turned on.
There are some issues with wi-fi calling that need these to be
individually flipped into permissive for now so that they can continue
to function.
Test: Wi-Fi calling works
Change-Id: Ib8dff8c5a6a9e7a0d702e558a950ce7315f78881
2017-04-23 11:52:02 -07:00
Thierry Strudel
0b19015b63
Merge changes from topic 'avb'
* changes:
init.hardware.rc: start qseecomd on fs
manifest.xml: add gatekeeper and keymaster definitions
Add sepolicies for binderized QCOM KM 3.0 and GK 1.0 HAL
device: don't use generic GK and KM HALs
device: add frp prop
2017-04-22 01:34:07 +00:00
TreeHugger Robot
9e55f530d9
Merge "VR hal to choose thermal config"
2017-04-22 00:51:40 +00:00
Roopesh Rajashekharaiah Nataraja
0d3ddf604b
Add sepolicies for binderized QCOM KM 3.0 and GK 1.0 HAL
Change-Id: Icb480b1072a70a7afd1296dc6feaec045d610b7a
2017-04-21 16:37:22 -07:00
Alex Klyubin
e8a357824a
Grant device-specific hwservicemanager access
Test: In Google Camera app, take photo (HDR+ and conventional),
record video (slow motion and normal), and check that photos
look fine and videos play back with sound.
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Bug: 34454312
Change-Id: I7d70a240188e1f4eea1a57ed3ae33a1d7ee79559
2017-04-21 13:06:23 -07:00
Badhri Jagan Sridharan
5fb5ea21b9
Add selinux rules for dumping usb debugfs logs
Bug: 36178613
Test: ran adb bugreport and noticed the logs to be dumped.
Change-Id: I24ba5883f7ffd5faf5bd02d0dc362feb30011c09
2017-04-21 18:38:38 +00:00
Wei Wang
6fc920280b
VR hal to choose thermal config
Test: thermal config changed enter/exit VR mode in muskie
Bug: 36514493
Change-Id: I3711f94e667684710afcf812dcb316a9a2ba86ef
2017-04-21 11:21:57 -07:00
Max Bires
1cedb2bc80
Merge "declare keystore and vold as passthrough HAL clients of keymaster"
2017-04-20 20:03:23 +00:00
TreeHugger Robot
3d0f0c8ec1
Merge "Adding file_contexts and allows that stopped boot in enforcing."
2017-04-20 00:05:11 +00:00
Max Bires
55f59017a0
Adding file_contexts and allows that stopped boot in enforcing.
At some point, changes were checked in that broke enforcing mode. The
following denials should now be fixed:
denied { read } for pid=15 comm="kworker/1:0" name="slpi_v2.b12"
dev="sda20" ino=369 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_file:s0
tclass=file
denied { read } for pid=580 comm="vold"
name="android.hardware.keymaster@3.0-impl.so" dev="sda20" ino=802
scontext=u:r:vold:s0 tcontext=u:object_r:vendor_file:s0 tclass=file
denied { read } for pid=779 comm="keystore"
name="android.hardware.keymaster@3.0-impl.so" dev="sda20" ino=802
scontext=u:r:keystore:s0 tcontext=u:object_r:vendor_file:s0 tclass=file
denied { search read open } for pid=772 comm="port-bridge"
name="msm_subsys" dev="sysfs" ino=18985 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
denied { read } for pid=772 comm="port-bridge" name="name" dev="sysfs"
ino=34583 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
denied { read } for pid=772 comm="port-bridge" name="subsys0"
dev="sysfs" ino=34591 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file
denied { search } for pid=772 comm="port-bridge" name="soc0" dev="sysfs"
ino=51157 scontext=u:r:port-bridge:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir
denied { read open getattr } for pid=772 comm="port-bridge"
name="soc_id" dev="sysfs" ino=51161 scontext=u:r:port-bridge:s0
tcontext=u:object_r:sysfs_soc:s0 tclass=file
denied { read write } for pid=4417 comm="android.hardwar"
name="vndbinder" dev="tmpfs" ino=17743 scontext=u:r:hal_drm_default:s0
tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file
denied { read } for pid=3980 comm="m.android.phone"
name="libimsmedia_jni.so" dev="sda20" ino=918 scontext=u:r:radio:s0
tcontext=u:object_r:vendor_file:s0 tclass=file
denied { search } for pid=512 comm="ueventd" name="firmware" dev="sda41"
ino=246 scontext=u:r:ueventd:s0
tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir
denied { read } for pid=1279 comm="ueventd" name="a530_pm4.fw"
dev="sda41" ino=251 scontext=u:r:ueventd:s0
tcontext=u:object_r:vendor_firmware_file:s0 tclass=file
Bug: 34784662
Bug: 37438752
Test: The phone successfully boots again
Change-Id: I21d9dc0f60b2cf383c66f8806eed1e1a83367c25
2017-04-19 15:35:38 -07:00
Sandeep Patil
3be52c8f6e
declare keystore and vold as passthrough HAL clients of keymaster
This is a temporary fix until b/35810138 is resolved and keymaster is
enabled as binderized HAL on wahoo. This MUST be reverted with the fix
for b/35810138
Bug: 34784662
Test:
Change-Id: I298f4cd20e6471c01e8aff391ea6f7b802621f24
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-19 15:03:10 -07:00
TreeHugger Robot
6cfe1a87b8
Merge "Add OemLock and Weaver HAL server policies for esed."
2017-04-18 14:50:47 +00:00
Max Bires
c6607276b3
Fixing denials for OTAs
denied { read } for pid=818 comm="update_engine" name="sda13"
dev="tmpfs" ino=21751 scontext=u:r:update_engine:s0
tcontext=u:object_r:ab_block_device:s0 tclass=blk_file
denied { read } for pid=818 comm="update_engine" name="sda7" dev="tmpfs"
ino=21727 scontext=u:r:update_engine:s0
tcontext=u:object_r:modem_block_device:s0 tclass=blk_file
denied { getattr } for pid=818 comm="update_engine" path="/postinstall"
dev="sda43" ino=42 scontext=u:r:update_engine:s0
tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir
Bug: 37305560
Test: These denials are not present
Change-Id: I47bc5743c58c4c56b95614f0a170d7af16ae2b53
2017-04-17 11:39:48 -07:00
Sandeep Patil
59b3eaccd3
tag all vendor domains that rely on system executables
Bug: 36463595
Test: lunch walleye-userdebug && make sepolicy
Change-Id: I7ec48b3109d66f9537e5834933ed28aa76da367e
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-15 19:30:07 -07:00
Sandeep Patil
1f85c07202
make all vendor exec_types part of vendor_file_type
Bug: 36463595
Test: lunch walleye-userdebug && make -j48 sepolicy
Change-Id: Idbc83b06edcb3eb2ea548a16ed93f711cda150c1
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-15 19:23:59 -07:00
Andrew Scull
1b416dc8d2
Add OemLock and Weaver HAL server policies for esed.
Test: Boot daemon and connect to HALs from framework.
Bug: 35628284
Change-Id: I43a1ad5df401f9e9c39d107311d6a670abdce2f0
2017-04-15 14:42:59 +01:00
Roopesh Rajashekharaiah Nataraja
50ffa4a8d9
IMS: Define sepolicies for UCE
UCE is user capability exchange functionality where the device notifies
the network its capabilities and can also find out the capabilities of a
different user from the network. Capabilities such as VoLTE,
Video Telephony, etc.
/external/ims/rcs contains the open source code that needs to interact
with the IMS stack in the modem. The UCE HAL acts as a bridge between
the ims stack in the modem and the open source code that provides
the UCE functionality that is used by Android Apps such as Phone and
Contacts.
Previous architecture was as follows:
UCE client app (aosp, system) <--> AIDL (AOSP) <-->
uce_service (system app) <--> (JNI vendor) <-->
(IMS libs: vendor) <--> modem
With Treble we have formed a clean separation between system and
vendor components: UCE app (aosp, system) <--> AIDL (aosp) <-->
UCEService <--> system/priv-app) <--> (HIDL, vendor) <-->
imrcsd (vendor daemon) <--> modem
Hope is that in future the vendor UCE HIDL is absorbed in AOSP and
we can deprecate the UCE Service system app altogether.
Add policies and permissions for UCE HAL service and UCE HAL client to
run and execute.
Bug: 37262741
Test: Check capability in contacts for VT calling
Change-Id: If426c1c046a2acd16ac30f25e15daf4aa0de1383
2017-04-14 17:58:55 -07:00
Wei Wang
9f0befc870
sepolicy: thermal-engine.te: add shutdown permission
With recently refactored android_reboot(), we need permission to set
powerctl_prop to trigger init to do reboot logic.
Bug: 37277184
Test: build
Change-Id: If687ef874d51c64795e6175a132c34b406c2b19c
2017-04-13 10:37:17 -07:00
Alex Klyubin
662399ca0d
Merge "Remove unnecessary sepolicy attributes"
2017-04-13 16:26:07 +00:00
Naveen Kalla
0266d437c7
Fix IMS Registration failure
imsdatadaemon was failing due to selinux denials shown below
02-07 12:07:06.299 W imsdatadaemon: type=1400 audit(0.0:77): avc: denied
{ net_raw } for capability=13 scontext=u:r:ims:s0 tcontext=u:r:ims:s0
tclass=capability permissive=0
02-07 12:07:06.299 W imsdatadaemon: type=1400 audit(0.0:78): avc: denied
{ net_bind_service } for capability=10 scontext=u:r:ims:s0
tcontext=u:r:ims:s0 tclass=capability permissive=0
02-07 12:07:06.299 I auditd : type=1400 audit(0.0:77): avc: denied {
net_raw } for comm="imsdatadaemon" capability=13 scontext=u:r:ims:s0
tcontext=u:r:ims:s0 tclass=capability permissive=0
02-07 12:07:06.299 I auditd : type=1400 audit(0.0:78): avc: denied {
net_bind_service } for comm="imsdatadaemon" capability=10
scontext=u:r:ims:s0 tcontext=u:r:ims:s0 tclass=capability permissive=0
Test: Check IMS registration works on device with this fix
Change-Id: Ib0e5078d13f27ccec0ebea4f146d75f29153bf7c
2017-04-12 23:07:59 -07:00
Alex Klyubin
0a7d71babe
Remove unnecessary sepolicy attributes
Test: mmm system/sepolicy
Bug: 34980020
Change-Id: Iefc2b9bbb32e91f8bb968aaad47d3512bf888a27
2017-04-12 18:52:16 -07:00
Ecco Park
87a1142b73
Fix sepolicy issue for cnss-diag and cnss-daemon
1) denial message for cnss-daemon
[ 185.251957] type=1400 audit(1492021938.121:423): avc: denied { create }
for pid=781 comm="cnss_diag" name="local_buffer" scontext=u:r:wcnss_service:s0
tcontext=u:object_r:cnss_vendor_data_file:s0
tclass=dir permissive=1
[ 185.258602] type=1400 audit(1492021938.121:424): avc: denied { setattr }
for pid=781 comm="cnss_diag" name="local_buffer" dev="sda45" ino=2179097
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:cnss_vendor_data_file:s0
tclass=dir permissive=1
2) remove unused cnss_diag.te (instead, we use wcnss_service.te)
Bug: 36734870
Change-Id: Ie0d1a99adf0cde2616eaf099e2757407f43eb77d
Signed-off-by: Ecco Park <eccopark@google.com>
2017-04-12 20:22:21 +00:00
Chris Thornton
93bfba0b34
Merge "The sound trigger hal needs to talk to /dev/wcd_dsp0_control for hotword."
2017-04-12 17:44:25 +00:00
Ecco Park
687c471c17
Merge changes Ice91de09,I0d05425d
* changes:
Pixel logger: fixed sepolicy issue for cnss_diag
Enable local_buffer mode of cnss_diag
2017-04-12 17:34:44 +00:00
TreeHugger Robot
c1308166b0
Merge "Allow logger_app to execute qlogd"
2017-04-12 17:01:37 +00:00
Siqi Lin
9b4825da94
Merge "sepolicy: Allow ramdump_app to access surfaceflinger_service"
2017-04-12 16:54:30 +00:00
Jie Song
0f258d3c4c
Allow logger_app to execute qlogd
Fix of following denial:
avc: denied { execute_no_trans } for path="/vendor/bin/diag_mdlog"
dev="dm-1" ino=72 scontext=u:r:logger_app:s0:c116,c256,c512,c768
tcontext=u:object_r:vendor_file:s0 tclass=file permissive=0
Bug: 37257559
Test: Pixel Logger can start diag_mdlog with no issue
Change-Id: I718949eb6d893be02c816ecbf32e0bd08e104be0
2017-04-12 15:54:41 +00:00
Andrew Scull
fdd3c83a20
Merge "Add eSE daemon."
2017-04-12 12:38:03 +00:00
Chris Thornton
8f4fa5158e
The sound trigger hal needs to talk to /dev/wcd_dsp0_control for hotword.
Test: Ran on device after modifying policy
Change-Id: I0971a914fd50bcfb7d1823183950c45d2632cc42
2017-04-11 21:31:29 -07:00
Adrian Salido
a60c8d7e89
power: rewrite battery stats parser
Make parsing battery stats more extendable and switch to system_stats for
the battery stats.
Bug: 36064954
Test: dumpsys batterystats shows non-zero stats
Change-Id: I39c59f86cbb335da5796d23c0ff4a7435745b31e
2017-04-11 19:05:04 -07:00
Ecco Park
46a2456715
Pixel logger: fixed sepolicy issue for cnss_diag
Bug: 36734870
Change-Id: Ice91de09ef35c8ced0c3faccf65ddfacf8b64101
Signed-off-by: Ecco Park <eccopark@google.com>
2017-04-12 01:40:31 +00:00
Siqi Lin
d9abe217aa
sepolicy: Allow ramdump_app to access surfaceflinger_service
Fixes the following denial which prevents Ramdump Uploader main
activity from displaying:
SELinux : avc: denied { find } for service=SurfaceFlinger pid=4901
uid=10120 scontext=u:r:ramdump_app:s0:c120,c256,c512,c768
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
Bug: 37209981
Test: manual - open Ramdump Uploader app, see no ANR
Change-Id: I3cf8ba627a7c850639d9f8a9aad0bd15ee77f0ee
2017-04-11 15:23:34 -07:00
Max Bires
723bebb5ce
Switching some vendor libraries over to same_process_hal_file type
A lot of app domains were requesting vendor_file read access due to some
mislabeled .so files. This should fix that without granting read access
to vendor_file.
Bug: 34784662
Test: .so files are properly labeled
Change-Id: I2aa69d54717af4c9274c979b01a717d991a03449
2017-04-11 11:26:12 -07:00
TreeHugger Robot
c708f9fe23
Merge "Move logging folder from data to data/vendor"
2017-04-11 16:52:20 +00:00
Andrew Scull
2e50fd967f
Add eSE daemon.
It manages the eSE by accessing the driver through the /dev/pn81a node.
Test: Boot brings up esed which connects to the eSE.
Bug: 35628284
Change-Id: I6fa3384169adb60095585856accd53bc61d06cf4
2017-04-11 14:32:10 +01:00
Max Bires
563a0851b2
Fixing the following denials
denied { search } for pid=823 comm="ueventd" name="/" dev="sda7" ino=1
scontext=u:r:ueventd:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir
denied { search } for pid=707 comm="qseecomd" name="/" dev="sda7" ino=1
scontext=u:r:tee:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir
denied { read write open getattr } for pid=711 comm="ramdump"
name="sdd1" dev="tmpfs" ino=20349 scontext=u:r:ramdump:s0
tcontext=u:object_r:misc_block_device:s0 tclass=blk_file
denied { write add_name } for pid=964 comm="perfd" name="perfd"
dev="sda45" ino=3407877 scontext=u:r:perfd:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { create } for pid=964 comm="perfd" name="default_values"
scontext=u:r:perfd:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
denied { search } for pid=751 comm="android.hardwar" name="c17a000.i2c"
dev="sysfs" ino=22393 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
denied { search } for pid=611 comm="android.hardwar" name="/" dev="sdd3"
ino=2 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:persist_file:s0 tclass=dir
denied { read execute open } for pid=727 comm="main"
name="libadsprpc.so" dev="sda20" ino=840 scontext=u:r:zygote:s0
tcontext=u:object_r:vendor_file:s0 tclass=file
denied { read execute } for pid=4970 comm="main" name="libadsprpc.so"
dev="sda20" ino=499 scontext=u:r:webview_zygote:s0
tcontext=u:object_r:vendor_file:s0 tclass=file
denied { unlink } for pid=8008 comm="rild"
name="uim_remote_client_socket0" dev="tmpfs" ino=26606
scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0
tclass=sock_file
denied { write } for pid=691 comm="ramdump" name="sda45" dev="tmpfs"
ino=20680 scontext=u:r:ramdump:s0
tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
denied { search } for pid=5098 comm="m.android.phone" name="framework"
dev="sda20" ino=383 scontext=u:r:radio:s0
tcontext=u:object_r:vendor_framework_file:s0 tclass=dir
denied { read write } for pid=1377 comm="Binder:1366_1"
path="socket:[55679]" dev="sockfs" ino=55679
scontext=u:r:folio_daemon:s0 tcontext=u:r:system_server:s0
tclass=unix_stream_socket
denied { use } for pid=1377 comm="Binder:1366_1" path="socket:[55679]"
dev="sockfs" ino=55679 scontext=u:r:folio_daemon:s0
tcontext=u:r:system_server:s0 tclass=fd
denied { call } for pid=847 comm="folio_daemon"
scontext=u:r:folio_daemon:s0 tcontext=u:r:system_server:s0 tclass=binder
denied { getattr read open } for pid=3711 comm="dex2oat"
path="/system/vendor" dev="sda22" ino=2749 scontext=u:r:dex2oat:s0
tcontext=u:object_r:vendor_file:s0 tclass=lnk_file
denied { read } for pid=5338 comm="RenderThread"
name="gralloc.msm8998.so" dev="sda20" ino=793
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:vendor_file:s0
tclass=file
denied { read } for pid=5161 comm="RenderThread"
name="gralloc.msm8998.so" dev="sda20" ino=793
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:vendor_file:s0 tclass=file
denied { module_load } for pid=588 comm="insmod"
path="/vendor/lib/modules/synaptics_dsx_core_htc.ko" dev="sda20" ino=749
scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_file:s0
tclass=system
denied { read open } for pid=607 comm="servicemanager" name="current"
dev="proc" ino=45010 scontext=u:r:servicemanager:s0
tcontext=u:r:folio_daemon:s0 tclass=file
denied { getattr } for pid=607 comm="servicemanager"
scontext=u:r:servicemanager:s0 tcontext=u:r:folio_daemon:s0
tclass=process
denied { search } for pid=607 comm="servicemanager" name="871"
dev="proc" ino=45008 scontext=u:r:servicemanager:s0
tcontext=u:r:folio_daemon:s0 tclass=dir
denied { read write } for pid=3642 comm="Binder:1199_3"
path="socket:[45011]" dev="sockfs" ino=45011
scontext=u:r:folio_daemon:s0 tcontext=u:r:system_server:s0
tclass=unix_stream_socket
denied { call } for pid=871 comm="folio_daemon"
scontext=u:r:folio_daemon:s0 tcontext=u:r:servicemanager:s0
tclass=binder
denied { sys_module } for pid=976 comm="tc" capability=16
scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
denied { sys_module } for pid=645 comm="Binder:645_2" capability=16
scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
denied { open read } for pid=776 comm="ueventd" name="modem.mdt"
dev="sda7" ino=38 scontext=u:r:ueventd:s0
tcontext=u:object_r:firmware_file:s0 tclass=file
denied { write open } for pid=787 comm="perfd"
path="/dev/cpu_dma_latency" dev="tmpfs" ino=19589 scontext=u:r:perfd:s0
tcontext=u:object_r:device:s0 tclass=chr_file
Bug: 34784662
Test: The above denials are no longer present
Change-Id: I2d905d89d3375e5dd4820d34cc11223814514f27
2017-04-11 01:26:29 -07:00
TreeHugger Robot
c37e2c4107
Merge "Enable binderized Thermal HAL."
2017-04-11 08:09:32 +00:00
Jie Song
33e42325ff
Move logging folder from data to data/vendor
diag_logs
cnss_diag
ramdump
Bug: 36734870
Test: Capture logs and check no SELinux denial
Change-Id: Iff035c2074d54a454ddd1b9e3c025ddbcf7ae40d
2017-04-10 17:25:14 -07:00
Max Bires
bc99e5b908
Adding allows to handle the following denials
denied { write } for pid=10249 comm="secdiscard" name="sda45"
dev="tmpfs" ino=19911 scontext=u:r:vold:s0
tcontext=u:object_r:sda_block_device:s0 tclass=blk_file
denied { create read } for pid=9183 comm="time_daemon" name="ats_2"
scontext=u:r:time_daemon:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
denied { read write open } for pid=9183 comm="time_daemon" name="ats_2"
dev="sdd3" ino=33 scontext=u:r:time_daemon:s0
tcontext=u:object_r:persist_file:s0 tclass=file
denied { write add_name } for pid=9183 comm="time_daemon" name="time"
dev="sda45" ino=851969 scontext=u:r:time_daemon:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir
denied { write } for pid=5959 comm="Binder:1415_9" name="timerslack_ns"
dev="proc" ino=138483 scontext=u:r:system_server:s0
tcontext=u:r:isolated_app:s0:c512,c768 tclass=file
denied { write } for pid=5365 comm="Binder:1415_8" name="timerslack_ns"
dev="proc" ino=123305 scontext=u:r:system_server:s0
tcontext=u:r:logger_app:s0:c112,c256,c512,c768 tclass=file
denied { connectto } for pid=9161 comm="omm.timeservice"
path=0074696D655F67656E6F6666 scontext=u:r:system_app:s0
tcontext=u:r:time_daemon:s0 tclass=unix_stream_socket
denied { read } for pid=5123 comm="m.android.phone" name="vendor"
dev="sda22" ino=2749 scontext=u:r:radio:s0
tcontext=u:object_r:vendor_file:s0 tclass=lnk_file
denied { getattr read open } for pid=5123 comm="m.android.phone"
path="/vendor/framework/qti-vzw-ims-internal.jar" dev="sda20" ino=385
scontext=u:r:radio:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=file
denied { write } for pid=888 comm="perfd" name="default_pwrlevel"
dev="sysfs" ino=33408 scontext=u:r:perfd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file
denied { read open } for pid=360 comm="kworker/u16:6"
name="synaptics_0.img" dev="sda20" ino=360 scontext=u:r:kernel:s0
tcontext=u:object_r:vendor_file:s0 tclass=file
denied { read } for pid=589 comm="init.power.sh" name="soc:qcom,cpubw"
dev="sysfs" ino=44524 scontext=u:r:init_power:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file
denied { open read } for pid=668 comm="init.power.sh"
path="/sys/class/devfreq" dev="sysfs" ino=28440
scontext=u:r:init_power:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
denied { write open } for pid=760 comm="android.hardwar" name="wlan"
dev="tmpfs" ino=20256 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:wlan_device:s0 tclass=chr_file
denied { open getattr write } for comm="android.hardwar"
path="/sys/devices/soc/c17a000.i2c/i2c-6/6-005a/rtp_input" dev="sysfs"
ino=41310 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file
denied { ioctl } for pid=880 comm="android.hardwar" path="/dev/uinput"
dev="tmpfs" ino=20584 ioctlcmd=5564
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:uhid_device:s0 tclass=chr_file
Bug: 34784662
Test: The above denials are no longer present
Change-Id: Id259bdcbf4cf7a93b8c98b8a06addb99385d7588
2017-04-10 15:39:09 -07:00
TreeHugger Robot
1602c1cf13
Merge "Refactoring block device labeling and adding allows."
2017-04-08 00:43:29 +00:00
Max Bires
ed261e9c7e
Refactoring block device labeling and adding allows.
Denials:
denied { write ioctl open } for pid=847 comm="folio_daemon"
name="uinput" dev="tmpfs" ino=20677 scontext=u:r:folio_daemon:s0
tcontext=u:object_r:uhid_device:s0 tclass=chr_file
denied { search } for pid=1553 comm="rild" name="netmgr" dev="tmpfs"
ino=21012 scontext=u:r:rild:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=dir
denied { read write open } for pid=689 comm="qseecomd" name="sdd2"
dev="tmpfs" ino=18308 scontext=u:r:tee:s0
tcontext=u:object_r:ssd_block_device:s0 tclass=blk_file
denied { read write open } for pid=771 comm="rmt_storage" name="sdd15"
dev="tmpfs" ino=18347 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:modem_block_device:s0 tclass=blk_file
denied { getattr } for comm="android.hardwar" path="/dev/block/sda7"
dev="tmpfs" ino=18138 scontext=u:r:hal_bootctl_default:s0
tcontext=u:object_r:modem_block_device:s0 tclass=blk_file
denied { getattr } for comm="android.hardwar" path="/dev/block/sda22"
dev="tmpfs" ino=18194 scontext=u:r:hal_bootctl_default:s0
tcontext=u:object_r:system_block_device:s0 tclass=blk_file
denied { getattr } for comm="android.hardwar" path="/dev/block/sda3"
dev="tmpfs" ino=18122 scontext=u:r:hal_bootctl_default:s0
tcontext=u:object_r:ab_block_device:s0 tclass=blk_file
denied { getattr } for comm="android.hardwar" path="/dev/block/sda9"
dev="tmpfs" ino=18146 scontext=u:r:hal_bootctl_default:s0
tcontext=u:object_r:boot_block_device:s0 tclass=blk_file
Bug: 34784662
Test: The above denials are no longer present
Change-Id: I0a31ed76665a660e658a1e9000e07a9d312fb985
2017-04-07 16:11:19 -07:00
Max Bires
8bfe8965a2
Adding allow rules and contexts to handle the following denials
denied { getattr } for pid=580 comm="ueventd" name="sda20" dev="tmpfs"
ino=19514 scontext=u:r:ueventd:s0 tcontext=u:object_r:tmpfs:s0
tclass=blk_file
denied { write } for pid=580 comm="ueventd" name="uevent" dev="sysfs"
ino=44062 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_bluetooth_writable:s0 tclass=file
denied { search } for pid=826 comm="time_daemon" name="msm_subsys"
dev="sysfs" ino=16858 scontext=u:r:time_daemon:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir
denied { write } for pid=2934 comm="Binder:1189_4" name="timerslack_ns"
dev="proc" ino=38677 scontext=u:r:system_server:s0
tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=file
denied { write } for pid=3936 comm="Binder:1189_C" name="timerslack_ns"
dev="proc" ino=85544 scontext=u:r:system_server:s0
tcontext=u:r:platform_app:s0:c512,c768 tclass=file
denied { write } for pid=1201 comm="Binder:1189_2" name="timerslack_ns"
dev="proc" ino=83223 scontext=u:r:system_server:s0
tcontext=u:r:system_app:s0 tclass=file
denied { write } for pid=1584 comm="Binder:1189_3" name="timerslack_ns"
dev="proc" ino=81248 scontext=u:r:system_server:s0
tcontext=u:r:audioserver:s0 tclass=file
denied { write } for pid=1201 comm="Binder:1189_2" name="timerslack_ns"
dev="proc" ino=38795 scontext=u:r:system_server:s0
tcontext=u:r:priv_app:s0:c512,c768 tclass=file
denied { write } for pid=1584 comm="Binder:1189_3" name="timerslack_ns"
dev="proc" ino=86229 scontext=u:r:system_server:s0
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=file
denied { write } for pid=4624 comm="Binder:1189_E" name="timerslack_ns"
dev="proc" ino=105556 scontext=u:r:system_server:s0
tcontext=u:r:radio:s0 tclass=file
denied { write } for pid=1201 comm="Binder:1189_2" name="timerslack_ns"
dev="proc" ino=26256 scontext=u:r:system_server:s0
tcontext=u:r:hal_audio_default:s0 tclass=file
denied { create } for pid=836 comm="perfd" name="default_values"
scontext=u:r:perfd:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
denied { find } for service=qti.ims.ext pid=3750 uid=1001
scontext=u:r:radio:s0 tcontext=u:object_r:imscm_service:s0
tclass=service_manager
denied { lock } for comm="ip6tables" path="/system/etc/xtables.lock"
dev="sda22" ino=968 scontext=u:r:netmgrd:s0
tcontext=u:object_r:system_file:s0 tclass=file
denied { getattr } for comm="android.hardwar"
path="/sys/devices/soc/c17a000.i2c/i2c-6/6-005a/leds/vibrator/duration"
dev="sysfs" ino=46884 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file
denied { open } for comm="android.hardwar"
path="/sys/devices/soc/c17a000.i2c/i2c-6/6-005a/leds/vibrator/activate"
dev="sysfs" ino=46883 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs:s0 tclass=file
denied { read } for comm="android.hardwar" name="vibrator" dev="sysfs"
ino=41304 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file
denied { search } for comm="android.hardwar" name="leds" dev="sysfs"
ino=27814 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=dir
denied { add } for
service=com.fingerprints.extension.IFingerprintNavigation pid=884
uid=1000 scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:fingerprint_service:s0 tclass=service_manager
denied { open } for pid=9391 comm="cat"
path="/sys/devices/virtual/thermal/cooling_device0/type" dev="sysfs"
ino=44002 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file
denied { read } for pid=9391 comm="cat" name="type" dev="sysfs"
ino=44002 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file
denied { search } for pid=9391 comm="cat" name="thermal" dev="sysfs"
ino=28795 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir
denied { getattr } for pid=9381 comm="ls"
path="/sys/kernel/debug/ion/heaps/secure_heap" dev="debugfs" ino=10246
scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs:s0
tclass=file
denied { open } for pid=9381 comm="ls"
path="/sys/kernel/debug/ion/heaps" dev="debugfs" ino=9218
scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs:s0
tclass=dir
denied { read } for pid=9381 comm="ls" name="heaps" dev="debugfs"
ino=9218 scontext=u:r:hal_dumpstate_impl:s0
tcontext=u:object_r:debugfs:s0 tclass=dir
denied { search } for pid=5401 comm="surfaceflinger" name="clients"
dev="debugfs" ino=8429 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:debugfs_ion:s0 tclass=dir
denied { search } for pid=5294 comm="android.hardwar" name="clients"
dev="debugfs" ino=8429 scontext=u:r:hal_audio_default:s0
tcontext=u:object_r:debugfs_ion:s0 tclass=dir
denied { write } for comm="android.hardwar" name="activate" dev="sysfs"
ino=46883 scontext=u:r:hal_vibrator_default:s0
tcontext=u:object_r:sysfs_leds:s0 tclass=file
denied { lock execute_no_trans } for comm="rild" path="/vendor/qcril.db"
dev="sda20" ino=1019 scontext=u:r:rild:s0
tcontext=u:object_r:vendor_file:s0 tclass=file
Bug: 34784662
Test: The above denials are no longer occurring
Change-Id: I7931a8c3ed8bdfb7190d6c5c14a11525dca5be3a
2017-04-07 19:57:13 +00:00
Connor O'Brien
3c7822edf1
Merge "wahoo: use binderized boot HAL"
2017-04-06 20:24:11 +00:00